Researchers link VBA-based samples to threat actors in South Asia, showing code reuse across groups such as Transparent Tribe, SideCopy, Donot, and Hangover through final payloads like CrimsonRAT and ObliqueRAT. The findings emphasize shared VBA patterns, cross-group code reuse, and the risk of false flags in attribution workflows. #TransparentTribe #CrimsonRAT #ObliqueRAT #Donot #OperationHangover #SDUser #SideCopy #Sidewinder
Keypoints
- Researchers connect VBA samples to threat actors (e.g., Transparent Tribe) based on the final payload and victimology.
- A subset of VBA samples could not be immediately attributed, prompting deeper analysis of shared code across groups.
- Historical VBA code from Transparent Tribe (May 2019) shows a deterministic pattern: hardcoded payload path, a user-form with payload text, and hex-encoded payloads written as ZIPs.
- Donot (APT-C-35) VBA code shows strong similarities to Transparent Tribe, suggesting code reuse between groups whose targets are on opposing sides.
- SDUser (Donot/SDUser) VBA samples share elements with both Transparent Tribe and Donot, including how the payload is stored, fake error messages, and the use of VBA forms and CByte for hex decoding.
- Binary payloads associated with SDUser contain anti-sandboxing checks and reverse shell capabilities, and some use the Telegram API for C2.
MITRE Techniques
- [T1566.001] Phishing – Spearphishing Attachment – The initial infection vector is usually email, purporting to come from official sources and containing a lure, which can be a Word document or more often, an Excel spreadsheet. [“The initial infection vector is usually email, purporting to come from official sources and containing a lure, which can be a Word document or more often, an Excel spreadsheet.”]
- [T1059.005] Visual Basic – VBA macros in Excel/Word documents used to drop and execute payloads. [“Excel VBA code and its evolution over time.”]
- [T1027] Obfuscated Files or Information – Payload stored as an ASCII hex string, converted to binary, then written to disk as a ZIP; hex decoding and ZIP packaging are used to conceal the drop. [“The payload is stored as an ASCII-encoded string of hexadecimal byte values separated by a specific separator… written to disk as a ZIP compressed file.”]
- [T1204] User Execution – Fake error message displayed to mislead the user before/after payload drop and execution. [“The fake message is shown… before or after the payload is dropped and executed.”]
- [T1497] Virtualization/Sandbox Evasion – Anti-sandboxing checks in payloads (e.g., WindowsSecurity project) to avoid analysis. [“Anti-sandboxing checks in the Main function of the WindowsSecurity project.”]
- [T1071.001] Application Layer Protocol – Web Protocols – C2 channels and reverse shell, with some payloads using Telegram API to communicate with attackers. [“launch a reverse shell to connect to an attacker controlled C2 server. Some payloads also employ Telegram API and may use it to communicate with the attackers.”]
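The dropper pattern summarized in the key points and in the T1027/T1204 entries (a hex string split on a separator, CByte decoding, a ZIP written to a hardcoded path, a fake error box) can be triaged statically from macro source. The Python script below is an added example, not Talos code and not any of the listed samples: it scans VBA source text for string literals that are really delimited hex dumps, decodes them the way the macro's CByte("&H" & part) loop would, labels the result by file magic, and flags the surrounding idioms. The embedded macro, its APPDATA path, the "-" separator and the 35-byte ZIP header stand-in are all constructed for illustration.

```python
"""Triage VBA source for the hex-string payload dropper pattern.

Added example, not Talos code. Input is macro source text (e.g. what `olevba`
prints for a maldoc); names, paths and the sample macro are constructed.
"""
import re
import string
import struct
from dataclasses import dataclass

# Constructed stand-in for a dropped payload: a bare ZIP local-file header plus
# a file name (35 bytes), enough to carry the PK\x03\x04 magic. Not a real sample.
FAKE_ZIP_HEADER = struct.pack(
    "<4sHHHHHIIIHH", b"PK\x03\x04", 20, 0, 8, 0x5A21, 0x546C, 0, 0, 0, 5, 0
) + b"t.txt"

# Constructed macro mimicking the described pattern: hardcoded drop path, hex string
# split on a separator, CByte("&H" & part) decoding, ZIP written to disk, fake error
# dialog. The "-" separator and the APPDATA path are assumptions, not from the samples.
SAMPLE_VBA = r'''
Private Sub Workbook_Open()
    Dim p As String
    p = Environ("APPDATA") & "\Microsoft\Windows\update.zip"
    Dim parts() As String
    parts = Split("%s", "-")
    Dim buf() As Byte
    ReDim buf(UBound(parts))
    Dim i As Long
    For i = 0 To UBound(parts)
        buf(i) = CByte("&H" & parts(i))
    Next i
    Open p For Binary As #1
    Put #1, , buf
    Close #1
    MsgBox "The file is corrupt and cannot be opened.", vbCritical, "Microsoft Excel"
End Sub
''' % "-".join(f"{b:02X}" for b in FAKE_ZIP_HEADER)

STRING_LITERAL = re.compile(r'"((?:[^"\n]|"")*)"')  # VBA string literal, "" escapes a quote
PREFIX = re.compile(r"0x|&H", re.I)                 # per-byte prefixes some variants carry
MAGICS = ((b"PK\x03\x04", "zip"), (b"MZ", "pe"), (b"\x7fELF", "elf"))

# Idioms of the described dropper, as regexes over the macro source.
INDICATORS = {
    "cbyte_hex_decode": re.compile(r'CByte\s*\(\s*"&H"', re.I),
    "split_on_separator": re.compile(r'Split\s*\(.*,\s*"[^"]{1,2}"\s*\)', re.I),
    "hardcoded_drop_path": re.compile(r'Environ\s*\(\s*"[A-Z]+"\s*\)\s*&\s*"', re.I),
    "binary_file_write": re.compile(r"\bOpen\b.+\bFor\s+Binary\b", re.I),
    "fake_error_msgbox": re.compile(r"\bMsgBox\b.*\bvbCritical\b", re.I),
}


@dataclass
class Finding:
    payload: bytes
    kind: str
    separator: str


def try_decode_hex(literal: str):
    """Return (bytes, separator) if the literal is a delimited hex dump, else None."""
    body = PREFIX.sub("", literal)
    seps = {c for c in body if c not in string.hexdigits}
    hexpart = "".join(c for c in body if c in string.hexdigits)
    # At most a two-character separator token, at least 8 bytes of even-length hex,
    # and not mostly non-hex (which would be ordinary text such as the fake message).
    if len(seps) > 2 or len(hexpart) < 16 or len(hexpart) % 2 or 2 * len(hexpart) < len(body):
        return None
    return bytes.fromhex(hexpart), "".join(sorted(seps))


def classify(data: bytes) -> str:
    """Label decoded bytes by leading magic; the described pattern yields a ZIP."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"


def extract_hex_payloads(vba: str) -> list[Finding]:
    findings = []
    for m in STRING_LITERAL.finditer(vba):
        decoded = try_decode_hex(m.group(1))
        if decoded is not None:
            data, sep = decoded
            findings.append(Finding(data, classify(data), sep))
    return findings


def dropper_indicators(vba: str) -> dict[str, bool]:
    return {name: bool(rx.search(vba)) for name, rx in INDICATORS.items()}


def triage(vba: str) -> dict:
    """Combine idiom hits and decoded payloads into a simple verdict."""
    hits = dropper_indicators(vba)
    payloads = extract_hex_payloads(vba)
    verdict = "hex-string dropper" if hits["cbyte_hex_decode"] and payloads else "no match"
    return {
        "indicators": hits,
        "payloads": [(f.kind, len(f.payload), f.separator) for f in payloads],
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_VBA))
```

Run it over the macro text that `olevba` extracts from a suspect document; a CByte hit together with a decoded `zip` or `pe` blob is the pattern described here. A decoded blob with `unknown` magic still deserves a look, since a variant may prepend junk bytes or use a separator or prefix outside what these regexes assume.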
Indicators of Compromise
- [File hash] Donot samples (donot1) – 9ce56e1403469fc74c8ff61dde4e83ad72597c66ce07bbae12fa70183687b32d, donot2 – 5efde4441e4184c36a0dec9e7da4b87769a574b891862acdb4c3321d18cbca69 and 2 more hashes – (Donot family VBA dropper)
- [File hash] Transparent Tribe samples (tt1) – 386ed7ba502e7bf0e60c546476c1c762cbc951eb2a2ba1f5b505be08d60310ef, tt2 – dbb9168502e819619e94d9dc211d5f4967d8083ac5f4f67742b926abb04e6676
- [File hash] Operation Hangover sample (hang1) – 56349cf3188a36429c207d425dd92d8d57553b1f43648914b44965de2bd63dd6
- [File hash] SDUser samples (sduser1) – a3c020bf50d39a58f5345b671c43d790cba0e2a3f631c5182437976adf970633, sduser2 – 3bbae53fc00449166fd9255b3f3192deba0b81b41b6e173d454c398a857b5094
- [Filename] Maldocs – Exports promotion highlits may 2021.xls, List of Nomination of the Candidates1.xltm
- [Hostname] microsoft-updates.servehttp.com, microsoft-patches.servehttp.com, microsoft-docs.myftp.org
- [IP] 45.153.240.66, 46.30.188.222
Read more: http://blog.talosintelligence.com/2022/02/whats-with-shared-vba-code.html